ghosts in the wire (or rock out with your hack out)

paypal 2fa bypass by henry hoggard

On October 22, 2016, a two-factor authentication bypass against PayPal was released. If you intercepted the POST back from the security-question fallback form (the step PayPal offered when the SMS code could not be used) and tampered with it in transit, the server accepted the request and treated the second factor as satisfied, so the code sent over text messaging never had to be entered. Now, this does require that you already have the first part of the authentication process: the username and password. But that is exactly the part that is weak enough to force the use of 2FA in the first place. Opening a rogue email that installs a keylogger or other trojan is enough to leak both.

Now, PayPal did fix this within a few weeks, but it is really annoying to know that the system was so easily subverted. Just munge the data in transit and the second factor is gone: the server trusted the client to tell it which checks still applied. To me, this suggests nobody in QA or on their security team did much security testing against this piece of code before it went to production, and that the developer did not design it with security in mind either. And that is just plain annoying to see.
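To make the failure concrete, here is an added example of the flawed pattern beside a hardened version. It is not PayPal's code or Henry Hoggard's proof of concept; the account, the questions, the salt and the function names are all constructed for illustration. The vulnerable handler validates only the answer fields the client chose to send, so a request with those fields stripped "passes". The hardened handler keeps the authentication state server-side, decides itself which questions must be answered, compares every answer in constant time and caps the number of attempts.

```python
import hashlib
import hmac

# Constructed example account. Answers are stored as salted PBKDF2 hashes,
# never as plaintext. A real system uses a random per-answer salt; the fixed
# salt here only keeps the example self-contained.
SALT = b"example-fixed-salt"
PBKDF2_ROUNDS = 100_000


def _hash_answer(answer: str, salt: bytes) -> bytes:
    """Normalise case and whitespace before hashing so 'Rover' == ' rover '."""
    normalised = answer.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", normalised, salt, PBKDF2_ROUNDS)


ACCOUNT = {
    "username": "alice",
    "security_questions": {
        "q1": _hash_answer("Rover", SALT),        # "name of first pet"
        "q2": _hash_answer("Springfield", SALT),  # "city you were born in"
    },
}

MAX_ATTEMPTS = 5


def start_session(username: str) -> dict:
    """Server-side state after a correct password; the second factor is still outstanding."""
    return {"user": username, "password_ok": True, "second_factor_ok": False, "attempts": 0}


def vulnerable_fallback(session: dict, form: dict) -> bool:
    """Flawed pattern: checks only the answer fields present in the request.

    Each submitted answer is verified, but the loop never asks whether every
    required answer was submitted. An intercepted POST with the q* fields
    removed runs the loop zero times, nothing fails, and the second factor is
    marked complete. That is the bypass described above.
    """
    for field, value in form.items():
        if field.startswith("q"):
            expected = ACCOUNT["security_questions"].get(field)
            if expected is None or not hmac.compare_digest(expected, _hash_answer(value, SALT)):
                return False
    session["second_factor_ok"] = True
    return True


def hardened_fallback(session: dict, form: dict) -> bool:
    """Hardened pattern: the server, not the client, decides what must be answered."""
    if not session.get("password_ok"):
        return False  # fallback is only reachable after the password step
    if session["attempts"] >= MAX_ATTEMPTS:
        return False  # lock the fallback after repeated failures
    session["attempts"] += 1

    required = ACCOUNT["security_questions"]
    # The request must carry exactly the set of questions the server expects;
    # a stripped, partial or padded form is rejected before any comparison.
    if set(form.keys()) != set(required.keys()):
        return False

    # Compare every answer even after one fails, so the response time does not
    # reveal which question was answered wrongly.
    all_correct = True
    for qid, expected in required.items():
        if not hmac.compare_digest(expected, _hash_answer(str(form[qid]), SALT)):
            all_correct = False

    if all_correct:
        session["second_factor_ok"] = True
    return all_correct


def is_logged_in(session: dict) -> bool:
    """Both factors must be satisfied server-side before the session is usable."""
    return bool(session["password_ok"] and session["second_factor_ok"])


if __name__ == "__main__":
    tampered = {}  # the intercepted POST with the answer fields stripped
    s = start_session("alice")
    print("vulnerable, stripped form:", vulnerable_fallback(s, tampered), is_logged_in(s))
    s = start_session("alice")
    print("hardened, stripped form:  ", hardened_fallback(s, tampered), is_logged_in(s))
    print("hardened, real answers:   ", hardened_fallback(s, {"q1": "Rover", "q2": "Springfield"}))
```

The point of the hardened version is not the hashing but the state machine: the set of required questions, the attempt counter and the "second factor done" flag all live in server-side session state, so nothing the client omits or rewrites in transit can move the login forward.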